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Abstract 

Many Embedded Systems are indeed Software Based Control Systems 
(SBCSs), that is control systems whose controller consists of control soft- 
ware running on a microcontroller device. This motivates investigation on 
Formal Model Based Design approaches for control software. Given the for- 
mal model of a plant as a Discrete Time Linear Hybrid System and the im- 
plementation specifications (that is, number of bits in the Analog-to-Digital 
(AD) conversion) correct-by-construction control software can be automati- 
cally generated from System Level Formal Specifications of the closed loop 
system (that is, safety and liveness requirements), by computing a suitable 
finite abstraction of the plant. 

With respect to given implementation specifications, the automatically 
generated code implements a time optimal control strategy (in terms of set- 
up time), has a Worst Case Execution Time linear in the number of AD bits b, 
but unfortunately, its size grows exponentially with respect to b. In many em- 
bedded systems, there are severe restrictions on the computational resources 
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(such as memory or computational power) available to microcontroller de- 
vices. 

This paper addresses model based synthesis of control software by trad- 
ing system level non-functional requirements (such us optimal set-up time, 
ripple) with software non-functional requirements (its footprint). Our ex- 
perimental results show the effectiveness of our approach: for the inverted 
pendulum benchmark, by using a quantization schema with 12 bits, the size 
of the small controller is less than 6% of the size of the time optimal one. 

Categories and Subject Descriptors 

D.2.2[Software]: Design Tools and Techniques - Computer Aided Software 
Engineering; D. 2. 4 [Software]: Software/Program Verification -Model Checking, 
Formal Methods 

General Terms 

Embedded Systems, Hybrid Systems 

Keywords 

Design and implementation of embedded software, Model- and component- 
based software design and analysis 
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1 Introduction 



Many Embedded Systems are indeed Software Based Control Systems (SBCSs). 
An SBCS consists of two main subsystems: the controller and the plant. Typ- 
ically, the plant is a physical system consisting, for example, of mechanical or 
electrical devices whereas the controller consists of control software running on a 
microcontroller. In an endless loop, the controller reads sensor outputs from the 
plant and sends commands to plant actuators in order to guarantee that the closed 
loop system (that is, the system consisting of both plant and controller) meets 
given safety and liveness specifications (System Level Formal Specifications). 

Software generation from models and formal specifications forms the core of 
Model Based Design of embedded software lfT6l . This approach is particularly 
interesting for SBCSs since in such a case system level (formal) specifications are 
much easier to define than the control software behavior itself. 

The typical control loop skeleton for an SBCS is the following. Measure x of 
the system state from plant sensors go through an analog-to-digital (AD) conver- 
sion, yielding a quantized value x. A function ctrlRegion checks if x belongs to 
the region in which the control software works correctly. If this is not the case a 
Fault Detection, Isolation and Recovery (FDIR) procedure is triggered, otherwise 
a function ctrlLaw computes a command u to be sent to plant actuators after a 
digital-to-analog (DA) conversion. Basically, the control software design prob- 
lem for SBCSs consists in designing software implementing functions ctrlLaw 
and ctrlRegion. 

For SBCSs, system level specifications are typically given with respect to the 
desired behavior of the closed loop system. The control software (that is, ctr- 
lLaw and ctrlRegion) is designed using a separation-of-concerns approach. That 
is, Control Engineering techniques (e.g., see (HI) are used to design, from the 
closed loop system level specifications, functional specifications (control law) for 
the control software whereas Software Engineering techniques are used to de- 
sign control software implementing the given functional specifications. Such a 
separation-of-concerns approach has several drawbacks. 

First, usually control engineering techniques do not yield a formally verified 
specification for the control law when quantization is taken into account. This is 
particularly the case when the plant has to be modelled as a Hybrid System, that is 
a system with continuous as well as discrete state changes [HI [HUH. As a result, 
even if the control software meets its functional specifications there is no formal 
guarantee that system level specifications are met since quantization effects are 
not formally accounted for. 
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Second, issues concerning computational resources, such as control software 
Worst Case Execution Time (WCET), can only be considered very late in the 
SBCS design activity, namely once the software has been designed. As a result, 
the control software may have a WCET greater than the sampling time. This inval- 
idates the schedulability analysis (typically carried out before the control software 
is completed) and may trigger redesign of the software or even of its functional 
specifications (in order to simplify its design). 

Last, but not least, the classical separation-of-concerns approach does not ef- 
fectively support design space exploration for the control software. In fact, al- 
though in general there will be many functional specifications for the control soft- 
ware that will allow meeting the given system level specifications, the software 
engineer only gets one to play with. This overconstrains a priori the design space 
for the control software implementation preventing, for example, effective per- 
formance trading (e.g., between number of bits in AD conversion, WCET, RAM 
usage, CPU power consumption, etc.). We note that the above considerations also 
apply to the typical situation where Control Engineering techniques are used to 
design a control law and then tools like Simulink are used to generate the control 
software. 

1.1 Motivations 

The previous considerations motivate research on Software Engineering methods 
and tools focusing on control software synthesis (rather than on control law syn- 
thesis as in Control Engineering). The objective is that from the plant model (as 
a hybrid system), from formal specifications for the closed loop system behavior 
and from Implementation Specifications (that is, number of bits used in the quanti- 
zation process) such methods and tools can generate correct-by-construction con- 
trol software satisfying the given specifications. 

The tool QKS lETI automatically synthesises control software starting from a 
plant model given as a Discrete Time Linear Hybrid System (DTLHS), the num- 
ber of bits for AD conversion, and System Level Formal Specifications of the 
closed loop system. Besides meeting functional specifications, the generated con- 
trol software meets some non functional requirements: it implements a (near) 
time-optimal control strategy, and it has a WCET guaranteed to be linear in the 
number of bits of the quantization schema. 

The generated code, however, may be very large, since it grows exponentially 
with the number of bits of the quantization schema Il22l . On the other hand, 
controllers synthesised by considering a finer quantization schema usually have 
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a better behaviour with respect to many other non-functional requirements, such 
as ripple and set-up time. Tipically, a microcontroller device in an Embedded 
System has limited resources in terms of computational power and/or memory. 
Current state-of-the-art microcontrollers has up to 512Kb of memory, and other 
design constraints (mainly costs) may impose to use even less powerful devices. 
As we will see in Section [4] by considering a quantization schema with 12 bits 
on the inverted pendulum system, QKS generates a controller which has a size 
greater than 8Mbytes. 

This paper addresses model based synthesis of control software by trading sys- 
tem level non-functional requirements with software non-functional requirements. 
Namely, we aim at reducing the code footprint, possibly at the cost of having a 
suboptimal set-up time and ripple. 

1.2 Our Main Contributions 

Fig. [T] shows the model based control software synthesis flow that we consider in 
this paper. A specification consists of a plant model, given as a DTLHS, System 
Level Formal Specifications that describe functional requirements of the closed 
loop system, and Implementation Specifications that describe non functional re- 
quirements of the control software, such as the number of bits used in the quanti- 
zation process, the required WCET, etc. 

A DTLHS is a discrete time hybrid system whose dynamics is modeled as a 
linear predicate over a set of continuous as well as discrete variables that describe 
system state, system inputs and disturbances. System level safety as well as live- 
ness specifications are modeled as sets of states defined, in turn, as predicates. In 
our setting, as always in control problems, liveness constraints define the set of 
states that any evolution of the closed loop system should eventually reach {goal 
states). 

The control synthesis problem is undecidable for DTLHSs, as it can be shown 
by adapting the proofs in [fT5l for the reachability problem in dense time Hybrid 
Systems. Despite that, non complete or semi-algorithms usually succeed in find- 
ing controllers for meaningful hybrid systems. 

Fig. [T] summarizes the main steps that the tools QKS takes in order to generate 
the control software starting from specifications. First (step 1), a suitable finite 
discrete abstraction (control abstraction [12111 ) % of the DTLHS plant model % 
is computed; H depends on the quantization schema and it is the plant as it can 
be seen from the control software after AD conversion. Then (step 2), given an 
abstraction G of the goal states G, it is computed a controller K that starting from 
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Figure 1 : Control Software Synthesis Flow. 

any initial abstract state, drives % to G regardless of possible nondeterminism. 
Control abstraction properties ensure that K is indeed a (quantized representation 
of a) controller for the original plant H. Finally (step 3), the finite automaton K 
is translated into control software (C code). 

To find the quantized controller K, QKS implements the symbolic (i.e. OBDD 
based) synthesis algorithm in O. Such algorithm finds a time-optimal solution, 
i.e. the controller K drives the system % to G always along shortest paths. The 
finer control abstractions are (i.e. when the quantization schema is more precise), 
the better is the control strategy found. Unfortunately, such time optimal control 
strategies may lead to very large controllers in terms of the size of the generated 
C control software. 

Driven by the intuition that smaller controllers enable the same action in larger 
regions of the set of abstract state space, we design a controller synthesis algorithm 
(Alg.|2]in Section 3.1 ) that gives up optimality and looks for maximal regions that 
can be controlled by performing the same action. We formally prove its correct- 
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ness (Theorem [T]) and completness (Theorem [2]) in Section 3.2 



Experimental results in Section [4] show that such heuristic greatly mitigates 
the exponential growth of the controller size without having a significant impact 
on non-functional system level requirements such as set-up time and ripple. We 
accomplish this result without changing the WCET of the control software. 

For the inverted pendulum benchmark, by using a quantization schema with 
12 bits, the size of our controller is less than 6% of the size of the time optimal 
controller. 



1.3 Related Work 

Control Engineering has been studying control law design (e.g., optimal control, 
robust control, etc.), for more than half a century (e.g., see flU). Also Quan- 
tized Feedback Control has been widely studied in control engineering (e.g. see 
IfTBl ). However such research does not address Hybrid Systems (our case) and, 
as explained above, focuses on control law design rather than on control soft- 
ware synthesis (our goal). Furthermore, all control engineering approaches model 
quantization errors as statistical noise. As a result, correctness of the control law 
holds in a probabilistic sense. Here instead, we model quantization errors as non- 
deterministic (malicious) disturbances. This guarantees system level correctness 
of the generated control software (not just that of the control law) with respect to 
any possible sequence of quantization errors. 

When the plant model is a Linear Hybrid Automaton (LHA) 0]| reachabil- 
ity and existence of a control law are both undecidable problems lfT5l . This, of 
course, has not prevented devising effective (semi) algorithms for such problems. 
Examples are in |fl4l [T2l |29l 1271 

Quantization can be seen as a sort of abstraction, which has been widely stud- 
ied in a hybrid system formal verification context (e.g., see B2l|3l). Note however 
that in a verification context abstractions are designed so as to ease the verifica- 
tion task whereas in control software synthesis quantization is a design require- 
ment since it models a hardware component (AD converter) which is part of the 
specification of the control software synthesis problem. Indeed, in our setting, we 
have to design a controller notwithstanding the nondeterminism stemming from 
the quantization process. As a result, the techniques used to devise clever abstrac- 
tions in a verification setting cannot be directly used in our synthesis setting where 
quantization is given. 

Abstraction based approach to controller synthesis has been also broadley in- 
vestigated. Based on a notion of suitable finite state abstraction (e.g. see fl24l) 
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control software synthesis for continuous time linear systems (no switching) has 
been implemented in the tool PESSOA [|23l . On the same wavelength, [30] gen- 
erates a control strategy from a finite abstraction of a Piecewise Affine Discrete 
Time Hybrid System (PWA-DTHS). Also the Hybrid Toolbox (6) considers PWA- 
DTHSs. Such tools output a feedback control law that is then passed to Matlab 
in order to generate control software. Finite horizon control of PWA-DTHS s has 
been studied using a MILP based approach. See, for example, Q. Explicit finite 
horizon control synthesis algorithms for discrete time (possibly non-linear) hy- 
brid systems have been studied in [fTTI and citations thereof. We note that all such 
approaches do not account for state feedback quantization since they all assume 
exact (i.e. real valued) state measures. Thus, as explained above, they do not offer 
any formal guarantee about system level correctness of the generated software, 
which is instead our focus here. 

Optimal switching logic, i.e. synthesis of optimal controllers with respect to 
some cost function have been also widely investigated. For example, see IfTTi and 
citations thereof. In this paper, we focus on non-functional sofware requirements 
rather than non-functional system-level requirements. 

Correct-by-construction software synthesis in a finite state setting has been 
studied, for example, in [[5l|28l|9]|. Such approaches cannot be directly used in our 
context since they cannot handle continuous state variables. 

Summing up, to the best of our knowledge, no previously published result is 
available about model based synthesis of small footprint control software from a 
plant model, system level specifications and implementation specifications. 



2 DTLHS Control Software 
Synthesis 

To make this paper self-contained, in this section we briefly summarize previous 
work on automatic generation of control software for Discrete Time Linear Hy- 
brid System (DTLHS) from System Level Formal Specifications focusing on basic 
definitions and mathematical tools that will be useful in the sequel. 

Fig. [T] shows the control software synthesis flow that we consider here. We 
model the controlled system (i.e. the plant) as a DTLHS (Section 23]), that is 



a discrete time hybrid system whose dynamics is modeled as a linear predicate 



(Section 2.1 ) over a set of continuous as well as discrete variables. The semantics 



of a DTLHS is given in terms of a Labeled Transition Systems (LTS, Section 2.2 ). 
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Given a plant H modeled as a DTLHS, a set of goal states G (liveness spec- 
ifications) and an initial region I, both represented as linear predicates, we are 
interested in finding a restriction K of the behaviour of H such that in the closed 
loop system all paths starting in a state in / lead to G after a finite number of steps. 
Finding K is the DTLHS control problem (Section 2.3.1 ) that is in turn defined as 
a suitable LTS control problem (Section 2.2.1) . 

Finally, we are interested in controllers that take their decisions by looking 
at quantized states, i.e. the values that the control software reads after an AD 
conversion. This is the quantized control problem (Section [2~4]). 



2.1 Predicates 

We denote with [n] an initial segment {1, . . . ,n} of the natural numbers. We 
denote with X = [x±, . . . , x n ) a finite sequence of variables. By abuse of language 
we may regard sequences as sets and we use U to denote list concatenation. Each 
variable x ranges on a known (bounded or unbounded) interval V x either of the 
reals or of the integers (discrete variables). We denote with V x the set Ylxex 
To clarify that a variable x is continuous (i.e. real valued) we may write x r . 
Similarly, to clarify that a variable x is discrete (i.e. integer valued) we may write 
x d . Boolean variables are discrete variables ranging on the set B = {0, 1}. We 
may write x b to denote a boolean variable. Analogously X r (X d , X b ) denotes the 
sequence of real (integer, boolean) variables in X. Unless otherwise stated, we 
suppose V X r = M |Jfr| and V xd = l) xd \. Finally, if x is a boolean variable we 
write x for (1 — x). 

A linear expression over a list of variables X is a linear combination of vari- 
ables in X with rational coefficients. A linear constraint over X (or simply a con- 
straint) is an expression of the form L(X) < b, where L(X) is a linear expression 
over X and b is a rational constant. In the following, we also write L(X) > b for 
-L(X) < -b. 

Predicates are inductively defined as follows. A constraint C (X) over a list of 
variables X is a predicate over X. If A(X) and B(X) are predicates over X, then 
(A(X) A B(X)) and (A(X) V B{X)) are predicates over X. Parentheses may be 
omitted, assuming usual associativity and precedence rules of logical operators. A 
conjunctive predicate is a conjunction of constraints. For conjunctive predicates 
we will also write: L(X) = b for ((L(X) < b) A (L(X) > b)) and a < x < b for 
x > a A x < b, where x E X. 

A valuation over a list of variables X is a function v that maps each variable 
x E X to a value v(x) E V x . Given a valuation v, we denote with X* E V x the 
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sequence of values [v(xi), . . . , v{x n )\. By abuse of language, we call valuation 
also the sequence of values X*. A satisfying assignment to a predicate P over X 
is a valuation X* such that P(X*) holds. If a satisfying assignment to a predicate 
P over X exists, we say that P is feasible. Abusing notation, we may denote 
with P the set of satisfying assignments to the predicate P(X). Two predicates 
P and Q over X are equivalent, denoted by P = Q, if they have the same set 
of satisfying assignments. Two predicates P(X) and Q(Z) are equisatisfiable, 
notation P ~ Q if P is satisfiable if and only if Q is satisfiable. 

A variable x E X is said to be bounded in P if there exist a, b E V x such 
that P(X) implies a < x < b. A predicate P is bounded if all its variables are 
bounded. 

Given a constraint C(X) and a fresh boolean variable (guard) y £ X, the 
guarded constraint y — > C(X) (if y then C(X)) denotes the predicate ((y = 0) V 
C(X)). Similarly, we use y — > C(X) (if not y then C(X)) to denote the predicate 
((y = 1) V C(X)). A guarded predicate is a conjunction of either constraints 
or guarded constraints. It is possible to show that, if a guarded predicate P is 
bounded, then P can be transformed into an equisatisfiable conjunctive predicate. 

2.2 Labeled Transition Systems 

A Labeled Transition System (LTS) is a tuple S = (S, A, T) where S is a (possibly 
infinite) set of states, A is a (possibly infinite) set of actions, and T : S x A x 
S — > B is the transition relation of 5. We say that T (and 5) is deterministic 
if T(s, a, s') A T(s, a, s") implies s' = s", and nondeterministic otherwise. Let 
s E S and a G A. We denote with Adm(5, s) the set of actions admissible in s, 
that is Adm(5, s) = {a E A \ 3s' : T(s, a, s')} and with Img(5, s, a) the set of 
next states from s via a, that is Img(5, s, a) = {s' E S | T(s, a, s')}. A ran or path 
for an LTS 5 is a sequence 7r = s , ao> s i ; °i) s 2, a 2 , . . . of states s t and actions a t 
such that Vi > T(s t , a t , s t+1 ). The length \n\ of a finite run n is the number of 
actions in n. We denote with n^(t) the (t + l)-th state element of it, and with 
7r^(t) the (t + l)-th action element of it. That is n^(t) = s t , and 7r( A )(t) = a t . 

2.2.1 LTS Control Problem 

A controller for an LTS S is used to restrict the dynamics of S so that all states in 
the initial region will reach the goal region. In the following, we formalize such 
a concept by defining solutions to an LTS control problem. In what follows, let 
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Figure 2: The LTS S in Example [T] 

S = (S, A, T) be an LTS, I,G C S be, respectively, the initial and goal regions 
ofS. 

Definition 1 A controller for S is a function K : 5* x A — > B such that Vs 6 £, 
Va G A ifK(s, a) then 3s' T(s, a, s'). IfK(s, a) holds, we say that the action a 
is enabled by K in s. 

We denote with dom(K) the set of states for which at least an action is en- 
abled. Formally, dom(K) = {s G S \ 3a K(s,a)}. 

We call a controller K a control law if K enables at most one action in each 
state. Formally, K is a control law if, for all s G dom(K), K(s, a) and K(s, b) 
implies a = b. 

S( K ) denotes the closed loop system, that is the LTS (S,A,T^), where 
TW(s, a, s') = T(s, a, s') A K{s, a). 

We call a path n fullpath [5] if either it is infinite or its last state 7r( s )(|7r|) has 
no successors (i.e. Adm(5, 7r( 5 )(|7r|)) = 0). We denote with Path(s, a) the set 
of fullpaths starting in state s with action a, i.e. the set of fullpaths n such that 
vr( 5 )(0) = s and7r^(0) = a. 

Given a path n in S, we define j(S, ir, G) as follows. If there exists n > 
s.t. 7r (5: >(n) G G, then j(S, ir, G) = min{n | n > A 7r (5) (n) G G}. Otherwise, 
j(S, ir, G) = +oo. We require n > since our systems are nonterminating and 
each controllable state (including a goal state) must have a path of positive length 
to a goal state. Taking sup = +oo, the worst case distance of a state s from the 
goal region G is J(S, G, s) = sup{j(5, G, n) | n G Path(s, a), a G Adm(5, s)}. 

Definition 2 An LTS control problem is a triple V = (S, /, G). A strong solution 
(or simply a solution) to V is a controller K for S, such that I C dom(i^) and for 
all s G dom(i^), J(S^ K \ G, s) is finite. 
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An optimal solution to V is a solution K* to V such that for all solutions K to 
V, for all se S, we have J(S^ K *\G,s) < J(S^ K \G,s). 

The most general optimal (mgo) solution to V is an optimal solution K toV 
such that for all optimal solutions K to V, for all s G S, for all a G A we have: 
K(s, a) — > K(s, a). It is easy to see that this definition is well posed (i.e., the mgo 
solution is unique) and that K does not depend on I. 

Example 1 Let S = (3, A, T) be the LTS in Fig. @ where S = {0, 1, 2, 3, 4}, 
A = {0, 1} and the transition relation T is defined by all arrows in the picture. 
Let I = S and let G = {0}. The controller K that enables all dotted arrows 
in the picture, is an mgo for the control problem (S, I, G). The controller K' = 
K\ {(0, 1)} that enables only the action in the state 0, would be still an optimal 
solution, but no more the most general solution. The controller K" = i^U{(3,0)} 
that enables also the action in state 3 would be still a solution ( more general 
than K), but no more optimal. As a matter of fact, in this case 
whereas J(S iK \G,3) = 2. 

2.3 Discrete Time Linear Hybrid Systems 

In this section we introduce the class of discrete time Hybrid Systems that we 
use as plant models, namely Discrete Time Linear Hybrid Systems (DTLHSs for 
short). 

Definition 3 A Discrete Time Linear Hybrid System is a tuple H = (X, U, Y, N) 

where: 

• X = X r UX d is a finite sequence of real ( X r ) and discrete ( X d ) present state 
variables. We denote with X' the sequence of next state variables obtained 
by decorating with ' all variables in X. 

• U = U r U U d is a finite sequence of input variables. 

• Y = Y r U Y d is a finite sequence of auxiliary variables. Auxiliary variables 
are typically used to model modes (e.g., from switching elements such as 
diodes) or "local" variables. 

• N(X,U,Y, X') is a conjunctive predicate over X U U U Y U X' defin- 
ing the transition relation (next state) of the system. N is deterministic if 
N(x, u, i/i, x') A (x, u, JJ2, x") implies x' = x", and nondeterministic other- 
wise. 
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A DTLHS is bounded if predicate N is bounded. A DTLHS is deterministic if 
N is deterministic. 



Since any bounded guarded predicate can be transformed into an equisatis- 
fiable conjunctive predicate (see Sect. |2.1[ ), for the sake of readability we will 
use bounded guarded predicates to describe the transition relation of bounded 
DTLHSs. To this aim, we will also clarify which variables are boolean, and thus 
may be used as guards in guarded constraints. The semantics of DTLHSs is given 
in terms of LTSs. 



Definition 4 Let H = (X, U, Y, N) be a DTLHS. The dynamics ofH is defined 
by the Labeled Transition System LTS("H) = (T> x , T> Ut N) where: N : V x x 
T>u x V x — > B is a function s.t. N(x, u,x') = 3 y e V Y N(x, u, y, x'). A state 
x for % is a state x for LTS(H) and a run (or path) for H is a run for LTS("H) 



(Sect. 2.2) 



Example 2 Let Tbe a positive constant (sampling time). We define the DTLHS H 
= ({x}, {u}, 0, N) where x is a continuous variable, u is a boolean variable, and 

N(x,u,x') = [u -> x' = x+(l~x)T]A[u ->■ x' = x+(x-\)T\. Since iV(|, 0, |) 
holds, the infinite path 7Tq = |, 0, |, . . . is a run in LTS(7i) = (R, {0, 1}, N). 



2.3.1 DTLHS Control Problem 

A DTLHS control problem ("H, J, G) is defined as the LTS control problem (LTS (H) , 
/, G). To accommodate quantization errors, always present in software based 
controllers, it is useful to relax the notion of control solution by tolerating an 
(arbitrarily small) error e on the continuous variables. This leads to the defini- 
tion of e-solution. Let £ be a nonnegative real number, W C W 1 x Z m . The 
e-relaxation of W is the set (ball of radius e) B e (W) = {(z\, . . . z n , q\, . . . q m ) \ 
3(xx, . . . ,x n ,qi, . . .q m ) G W and Wi e [n] \zi - x { \ < e). 

Definition 5 Let (H, I, G) be a DTLHS control problem and e be a nonnegative 
real number. An e solution to I, G) is a solution to the LTS control problem 
(LTS(%), /, B £ {Gj). 

Example 3 Let % be the DTLHS in Example^ Let V = (%, I, G) be a control 
problem, where I = —2 < x < 2.5, and G = x = 0. A controller may drive 
the system near enough to the goal x = 0, by enabling a suitable action in such 
a way that x' < x when x > and x' > x when x < 0. If the sampling 
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time T is small enough with respect to e (for example T < the controller: 
K(x } u) = (-2 < x < A u) V (0 < x < f An) V (f < x < 2.5 A u) 
is an e solution to {H 1 /, G). Observe that any controller K' such that if' (§, 0) 
holds is not a solution, because in such a case may loop forever along the 
path 7r of Example^ 

2.4 Quantized Control Problem 

In order to manage real valued variables, in classical control theory the concept 
of quantization is introduced (e.g., see [13]). Quantization is the process of ap- 
proximating a continuous interval by a set of integer values. In the following we 
formally define a quantized feedback control problem for DTLHSs. 

A quantization function 7 for a real interval / = [a, b] is a non-decreasing 
function 7 : / i-> Z s.t. 7(f) is a bounded integer interval. We will denote 
7(7) as / = [7(a), 7(6)]. The quantization step of 7, notation ||7||, is defined 
as sup{ \w — z\ I w,z E I A 7(10) = l{z)}. For ease of notation, we extend 
quantizations to integer intervals, by stipulating that in such a case the quantization 
function is the identity function. 

Definition 6 Let H = (X, U, Y, N) be a DTLHS, and let W = X U U U Y. A 
quantization Qfor V. is a pair (A, T), where: 

• A is a predicate over W that explicitely bounds each variable in W. For 
each w G W, we denote with A w its admissible region and with A\y = 

• r is a set of maps T = {7^ | w G W and j w is a quantization function for 

Let W = [wi, . . . Wk] and v = [vi,...Vk] G Aw- We write T(t>) for the tuple 
[jw^Vi), ■ ■ ■ Jw k (vk)]. Finally, the quantization step ||r|| is defined as sup{ ||7|| | 7 G 

n- 

A control problem admits a quantized solution if control decisions can be made 
by just looking at quantized values. This enables a software implementation for a 
controller. 

Definition 7 Let H = (X, U, Y, N) be a DTLHS, Q = (A, T) be a quantization 
for H and V = (W,, I, G) be a DTLHS control problem. A Q Quantized Feedback 
Control (QFC) solution to V is a ||r|| solution K(x, u) to V such that K(x, u) = 
K(T(x),T(u)) where K : T(A X ) x T(Au) -> B. 
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Example 4 Let V be as in Example [5] Let us consider the quantization (A, T) 
where A = I andY = {7^} where j x (x) = [x\. The setT(A x ) of quantized states 
is the integer interval [—2, 2]. No Q QFC solution can exist, because in state 1 
either enabling action 1 or action allows infinite loops to be potentially executed 
in the closed loop system. The controller K in Example \3\ can be obtained as a 
quantized controller decreasing the quantization step, for example by taking T = 
{%} where %(x) = [8x\. 

3 Small Controllers Synthesis 

It may be shown that, as expected within the framework defined in the previous 
section, when finer (i.e. with more bits) quantization schemas are considered 
better controllers are found, in terms of set-up time and ripple (see Sect. On 
the other hand, the size of the controller code grows exponentially with the number 
of bit of the quantization schema. In this section we will show how we may obtain 
a smaller size of controller code, while retaining results on non-functional system 
level requirements such as set-up time and ripple. 

QKS control synthesis procedure implements function mgoCtr in Alg.[2j which 
adapts the algorithm presented in J9]|. Starting from goal states, the more general 
optimal controller is found incrementally looping backward, adding at each step 
to the set of states D(s) controlled so far, the strong preimage of D(s), i.e. the set 
of states for which there exists at least an action a that drives the system to D(s), 
regardless of possible nondeterminism. 

Algorithm 1 Building a strong mgo for an LTS control problem 
Input: An LTS control problem {S, I,G),S = {S, A, T). 
function mgoCtr(S , I , G) 

1. K(s, a) <- 0, D(s) <- G(s), D(s) <- 

2. while D(s) ^ D(s) do 

3. F(s, a) <- 3s' T(s, a, s') A W [T(s, a, s') D(s')} 

4. K(s, a) <- K(s, a) V (F(s, a) A fla K(s, a)) 

5. D(s) <- D(s), D(s) <- D(s) V 3a K{s, a) 

6. return (Vs [J(s) =^ 3a K(s, a)], 3a K(s, a), K(s, a)) 



Driven by the intuition that smaller controllers enable the same action in larger 
regions of the set of abstract state space, we modify mgoCtr search algorithm as 
follows. 
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We compute the strong preimage by finding maximal regions of states from 
which the system reaches D in one or more steps by repeatedly performing the 
same action. To this end, each preimage computation involves finding a family 
of fixpoints E(s, a): for each action a, E(s, a) corresponds to the maximal set of 
states from which D is reachable by repeatedly performing the action a only. 

Algorithm 2 Symbolic Algorithm for Controller Synthesis for an LTS control 
problem 

Input: LTS control problem (S, I, G), with LTS S = (S, A, T) 
function smallCtr(S, I, G) 

1. K(s,a) <- 0,D(s) <- 

2. repeat 

3. 0(s) <- D(s) V G(s) 

4. E(s,a) <- 

5. repeat 

6. F(s, a) <- 3s'T(s, a, s')A 

7. W[T(s,a,s , )=>E{8 , ,a)VO(8')] 

8. E(s, a) <- E(s, a), E(s, a) <- E(s, a) V F(s, a) 

9. until E(s, a) = E(s, a) 

10. for all a e A do 

11. _ K(s, a) <- K(s, a) V (E(s, a) A a = a A flb K(s, b)) 

12. D(s) <- D(s),D(s) <- D(s) V3aK(s,a) 

13. until D(s) = D(s) 

14. return (Vs [/(s) ^> 3ai^(s, a)], 3aif(s, a), iT(s, a)) 



3.1 Control Synthesis Algorithm 

Our controller synthesis algorithm is shown in Alg.|2j Function smallCtr(S ', /, G) 
computes a maximal solution (Theorem [2]) to the control problem (*S, /, G) im- 
plementing the heuristic described above in order to obtain a succint controller, 
i.e. representable with an OBDD (and hence C code) much smaller than the one 
needed for the mgo. 

In Alg. [2] if (s, a) denotes the OBDD that represents the controller computed 
so far and D(s) is the OBDD that represents its domain. D(s) represents the do- 
main of the controller computed at the previous iteration. The computation starts 
by initializing K(s, a) and its domain D(s) to the empty OBDD, that corresponds 
to the always undefined function and the empty set (line[T|). 
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At each iteration of the outer loop (lines [2- 13 ), a target set of states O(s) is 
considered (line|3]): O(s) consists of goal states G(s) and the set D(s) of already 
controlled states. 

The inner loop (lines [5]-[9]) computes, for each action a, the maximal set of 
states E(s,a) that can reach the target set O(s) by repeatedly performing the 
action a only. In other words, given an action a, E(s, a) is the mgo of the control 
problem (<S', /, O), where the LTS S' = (S, {a}, T") is obtained by restricting the 
dynamics of S to the action a, i.e. T'(s, a, s') = T(s, a, s') A a = a. 

After that, K is updated by adding to it state-action pairs in E(s, a). Instead 
of simply computing K(s, a) = K(s, a) V E(s, a), to keep the controller smaller, 
function smallCtr avoids to add to K possible intersections between any pair of 
sets E(s,a) and E(s,b) for a ^ b (line 11). As a consequence, the resulting 
controller K is a control law, i.e. it enables just one action in a given state s. 

The order in which the loop in lines 10 -11 enumerates the set of actions gives 
priority to actions that are considered before. Let be the sequence 

of actions as enumerated by the for loop. If there exists at least an action a such 
that E(s, a) holds, then we will have that K(s, dk) holds only for a certain such 
that k = min{i | E(s, at)}. In many control problems, it is useful to give priority 
to some actions, e.g. in order to prefer "low power" actions. It is easy to extend 
our approach to deal with such an issue, by simply considering a given order for 
the for loop. 

The computation ends when no new state is added to the controllable region, 
i.e. when D(s), the domain of the controller computed so far, is the same as D(s), 
the domain of the controller computed at the previous iteration. 

Example 5 Let V be the control problem described in Example^ The first itera- 
tion of Alg.^computes the predicate E(s, a) that holds on the set {(0, 0), (0, 1), 
(1,0), (2,0), (3,0), (A,l)},i.e. E(s,a) = E(s,0) V E(s,l), where the set of 
pairs that satisfies E(s, 0) is {(0, 0), (1,0), (2, 0), (3, 0)} and the set of pairs that 
satisfies E(s, 1) is {(0, 1), (4, 1)}. Depending on the order in which the for loop 
in lines [70) - [77] enumerates the set of actions, in the state the resulting controller 
K* enables the action (K*(s, a) = E(s, 0) U (E(s, 1) \ {(0, 1)})) or the action 
1 (K*(s, a) = E(s, 1) U (E(s, 0) \ {(0, 0)})J. Observe that, in any case, K* is not 
optimal. An optimal controller would enable the transition T(3, 1, 1) rather than 
T(3, 0, 2) (see Example^. 

Remark 1 Let ir = s ,a , si, ai, . . . , a n -i, s n be a path. An action switch in 
n occurs whenever ^ a>i+i. Controllers generated by Alg. [2] implement con- 
trol strategies with a very low number of switches. In many systems this is a 
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desirable property. A "switching optimal" control strategy cannot be, however, 
implemented by a memoryless state-feedback control law. As an example, take 
again the control problem V described in Example [7] The controller defined by 
E(s, a) in Example^contains all switch optimal paths. However, to minimize the 
number switches along the paths going through state 0, a controller should en- 
able action when coming from state 1, action 1 when coming from 4, and repeat 
the last action (0 or 1) when the system is executing the self -loops in state 0. In 
other words, only a feedback controller with memory can implement this control 
strategy. 



3.2 Synthesis Algorithm Correctness 
and Completeness 

The following two theorems establish the correctness of Alg. [2j by showing that 
the controller computed by function smallCtr is indeed a solution to the control 
problem given as input (Theorem [T]), and its completness, in the sense that the 
domain of the computed controller is maximal with respect to the domain of any 
other solution (Theorem [2]). 

Theorem 1 Let S = (S, A, T) be an LTS, and I,G C S be two sets of states. 
If smallCtr(S, I, G) returns the tuple (True, D, K), then K is a solution to the 
control problem (S,I,G). 

Proof 1 If smallCtr(S, I, G) returns the tuple (True, D, K), clearly I C <\om(K) 
(see Alg. [2] line 14). We have to show that, for all s G dom(K), J(S^ K \ G, s) is 



finite. 

First of all, we show that, for any predicate E(s,a) computed at the end of 
the inner repeat loop of smallCtr (lines^^^, if E(s, a) holds, then we have that 
J(S^ E \ O, s) is finite. We proceed by induction on the number of iteration of 
the inner repeat loop. To ease notation, the predicate F(s, a) computed in line^ 
during the i-th iteration will be denoted by Fi(s, a). We will show that ifF n (s, a) 
holds, then J(S^ E \ O, s) = n. Clearly if Fi(s,a) holds, then for all s' such 
that T(s, a, s'), s' belongs to O, and hence J(S ( - E \ O, s) = 1. Along the same 
lines, if F n+1 (s, a) holds, then J(S^ E \ F n , s) = 1, and by applying induction 
hypothesis, J(S^ E \ O, s) = n + 1. As for termination, we have that ifE(s, a) 7^ 
E(s, a) then at least one new state has been included in E(s, a). Thus the function 
\S\ — |dom(i?) I is strictly positive and strictly decreasing at each iteration. 
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The outer repeat loop behaves in a similar way. Again, we denote with 
Ei(s,a) the predicate E(s,a) computed in line ^during the i-th iteration. If 
s G dom(K), then Ei(s, a) holds for some i and some a. We now prove the state- 
ment of the theorem by induction on i. If i = 1, we have that 0(s) = G(s) and 
that J(S^ El \ O, s) is finite, and hence trivially J(S^ K \ G, s) is finite. If % > 1, 
then we have that J(S^ Ei \ dom(Ei_i) , s) is finite. Since, by inductive hypothesis, 
also J(S( Ei -*\ O, s) is finite, we have that J(S^ K \ G, s) < J(S (E >\ dom(^_i), 
s) + JiS^- 1 ^, O, s) is finite. 

Theorem 2 Let S = (S, A, T) be an LTS, and I,G C S be two sets of states. 
If smallCtr{S, I, G) returns the tuple (True, D, K), then D = dom(K) is the 
maximal controllable region, i. e. for any other solution K* to the control problem 
(S, I, G) we have dom(K*) C dom(K). 

Proof 2 Let dom n (K) = {s \ J(S^ K \s,G) = n}. We will show by induction 
that, for all n, dom n (K*) C dom(K). 

{n = 1) Let s e domi(K*). Then Adm(5, s) ^ and there exists at least 
an action a G Adm( l S, s) such that K*(s,a) holds. Thus, for all s' such that 
T(s, a, s') we have that s' G G. But this means that F(s, a) holds (Alg. [2] line^ty 
and therefore K(s, a) holds. Hence s G dom(ii'). 

(n > 1) Let s G dom n (K*). Then Adm(S, s) ^ and there exists at least 
an action a G Adm(iS, s) such that K*(s,a) holds. Thus, for all s' such that 
T(s,a, s') we have that s' G dom n _i(if*). By inductive hypothesis, dom n ^i(K*) C 
dom(i^ ). Therefore, for all s' such that T(s, a, s') we have that s' G dom(i^). Let 
us suppose that s ^ dom(K). But this implies that Img(iS, s, a) <2 dom(K), oth- 
erwise Alg. ^would not terminated before adding s to E(s,a) at some iteration. 
This leads to a contradiction, because Img(5, s, a) C dom n _ 1 (_ft'*) C dom(K). 

4 Experimental Results 

In this section we present our experiments that aim at evaluating effectiveness of 
our control software synthesis technique. We mainly evaluate the control software 
size reduction and the impact on other non-functional control software require- 
ments such as set-up time (optimality) and ripple. 

We implemented function smallCtr in C programming language using the 
CUDD IfTOl package for OBDD based computations. The resulting tool, QKS SC , 
extends the tool QKS by adding the possibility of synthesising control software 
(step 2 in Fig.[T]) by using smallCtr instead of the mgo controller synthesis. 
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Figure 3: Inverted Pendulum with Stationary Pivot Point. 



In Section 4.1 and 4.2 we will present the DTLHS models of the inverted 



pendulum and the multi-input buck DC-DC converter, on which our experiments 



focus. In Section 4.3 we give the details of the experimental setting, and finally, 



in Section 4.4, we discuss experimental results. 



4.1 The Inverted Pendulum as a DTLHS 

The inverted pendulum |fT9ll (see Fig. [3]) is modeled by taking the angle 9 and 
the angular velocity 9 as state variables. The input of the system is the torquing 
force u ■ F, that can influence the velocity in both directions. Here, the variable u 
models the direction and the constant F models the intensity of the force. Differ- 
ently from [fT9l , we consider the problem of finding a discrete controller, whose 
decisions may be only "apply the force clockwise" (u = 1), "apply the force 
counterclockwise" (u = —1)", or "do nothing" (u = 0). The behaviour of the 
system depends on the pendulum mass m, the length of the pendulum I, and the 
gravitational acceleration g. Given such parameters, the motion of the system is 
described by the differential equation 9 = | sin 9 + ^uF. In order to obtain a 
state space representation, we consider the following normalized system, where 
X\ is the angle 9 and x 2 is the angular speed 9: 

J X\ = X2 , 

I *2 = fsinxi + ^wF 
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The discrete time model obtained from the equations in ([T|) by introducing a con- 
stant T that models the sampling time is: 

(x[ = X\ + Tx 2 ) A (x' 2 = x 2 + Tj sinxi + T-^uF) 

that is not linear, as it contains the function sinxi. A linear model can be find by 
under- and over- approximating the non linear function sinx. In our experiments 
(Sect. [4]), we will consider the linear model obtained as follows. 

First of all, in order to exploit sinus periodicity, we consider the equation x\ = 
27r?/fc + y a , where y k represents the period in which x\ lies and y a G [— n, 7r£] 
represents the actual x x inside a given period. Then, we partition the interval 
[-7r,7r] in four intervals: h = [-vr,-f],J 2 = [-f,0],/ 3 = [0, f], h = [f, tt] . 
In each interval U (i G [4]), we consider two linear functions f^(x) and and 
ff(x), such that for all x G I», we have that f~{x) < sinx < f^(x). As an 
example, ff~(y a ) = -0.637y a - 2 and f{(y a ) = -0.707y Q - 2.373. 

Let us consider the set of fresh continuous variables Y r = {y a , y sin } and the set 
of fresh discrete variables Y d = {y k , y q , y u y 2 , y 3 , y*}, being y u ...,y 4 boolean 
variables. The DTLHS model Ip for the inverted pendulum is the tuple (X, U, 
Y, N), where X = {x±, x 2 } is the set of continuous state variables, U = {u} is 
the set of input variables, Y = Y r U Y d is the set of auxiliary variables, and the 
transition relation N(X, U, Y, X') is the following predicate: 

(x[ =Xi + 2ny q + Tx 2 ) A (x' 2 = x 2 + Tf y sin + T^uF) 

A Aie[4] Vi friVoc) < Vsin < ftiVa) 

A Aie[4] Vi^VaeliA J2ie[4) Vi > 1 
A X\ — 2ny k + y a A — n < x[ < n 

Overapproximations of the system behaviour increase system nondeterminism. 
Since Xp dynamics overapproximates the dynamics of the non-linear model, the 
controllers that we synthesize are inherently robust, that is they meet the given 
closed loop requirements notwithstanding nondeterministic small disturbances 
such as variations in the plant parameters. Tighter overapproximations of non- 
linear functions makes finding a controller easier, whereas coarser overapproxi- 
mations makes controllers more robust. 

The typical goal for the inverted pendulum is to turn the pendulum steady 
to the upright position, starting from any possible initial position, within a given 
speed interval. 

'in this section we write tt for a rational approximation of it. 
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Figure 4: Multi-input Buck DC-DC converter. 



4.2 Multi-input Buck DC-DC converter 

The multi-input buck DC-DC converter [25J in Fig.[4]is a mixed-mode analog cir- 
cuit converting the DC input voltage (V{ in Fig. [4]) to a desired DC output voltage 
(v o in Fig. [4]). As an example, buck DC-DC converters are used off-chip to scale 
down the typical laptop battery voltage (12-24) to the just few volts needed by 
the laptop processor (e.g. 112610 as well as on-chip to support Dynamic Voltage 
and Frequency Scaling (DVFS) in multicore processors (e.g. lfT8lO . Because of 
its widespread use, control schemas for buck DC-DC converters have been widely 
studied (e.g. see lfT8ll26lO . The typical software based approach (e.g. see 112610 is 
to control the switches u\, . . . , u n in Fig. H] (typically implemented with a MOS- 
FET) with a microcontroller. 

In such a converter (Fig. [4]), there are n power supplies with voltage values 
V~i, ... , V n , n switches with voltage values v™, . . . ,v% and current values I™, . . . , 1% 
and n input diodes D , . . . , D n _i with voltage values v®,..., v^_ x and current 
Iq,..., (in the following, we will write v D for Vq and i D for i^). 

The circuit state variables are it, and Vc- However we can also use the pair 
%l, vo as state variables in the DTLHS model since there is a linear relationship 
between i L , v c and Vq, namely: vq = ra + Ii iL H — ^tr v c- We model the n-input 
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buck DC-DC converter with the DTLHS B n = (X, U, Y, N), with X = [i L , v ], 
U = [m, . . ., u n ], Y = [v D , uf , . . . , v%_ lt i D , Ii, ■ ■ ■, II, Ui, • • •, <]• 

The transition relation N is as follows. From a simple circuit analysis (e.g. 
see Il2"0l0 we have the following equations: 

ii = a\,ih + cli,2Vq + a 1>3 v D 

Vo = CL2,lh + d2,2Vo + a 2,3^D 

where the coefficients a i: j depend on the circuit parameters R, r L , r c , L and C in 
the following way: 01,1 = - T ±, a lj2 = -\, a h3 = -±, a 2 ,i = ^f^h^ + J], 
a 2,2 = + £7] > a 2,3 = — ^ 7^ • Using a discrete time model with sampling 

time T (writing a;' for x(t + 1)) we have: 

i' L = (1 + Ta 1A )i L + Ta h2 v + Ta h3 v D 
v' = Ta 2>1 i L + (1 + Ta 2 ^)v + Ta 2)3 v D . 

The algebraic constraints stemming from the constitutive equations of the switch- 
ing elements are the following: 

qo ->■ (v D = RoniD) qo ->■ (y D = Roain) v D =v%- V n 
qo -> (i D > 0) q -> (u B < 0) i L = i D + E"=i ^ 

Ai 6 [n] » -> = Ronlf) Ai £ [n] * ~> («? = «aff^) 

A< 6[ „] % -> (i? > 0) Ai 6 [n] ft -> K p < o) 

A ie[ n-1] «i "> = ^j;) A ie[ «-1] % "> = R o^j) 
f\ ie[n] VD = V?+vP-Vi 

4.3 Experimental Settings 

All experiments have been carried out on an Intel(R) Xeon(R) CPU @ 2.27GHz, 
with 23GiB of RAM, Kernel: Linux 2.6.32-5-686-bigmem, distribution Debian 
GNU/Linux 6.0.3 (squeeze). 

As in ITT91 . we set pendulum parameters / and m in such a way that f = 1 
(i.e. I = g) and ^2 = 1 (i.e- m = i). As for the quantization, we set A Xl = 
[— l.Lr, l.l7r] and = [—4, 4], and we define Ax F = A Xl x x A u . The goal 
region is defined by the predicate Gz F (X) = (— p < X\ < p) A (— p < x 2 < p), 
where p G {0.05, 0.1}, and the initial region is defined by the predicate I Xf (X) = 

(-7T < Xx < 7T) A (-4 <X 2 < 4). 
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Figure 5: K mgo enabled ac- Figure 6: K 5C enabled ac- Fi S ure 7: Simulation of 

--7-fC" sc tR^S /r n\ 

tions (X .5,6=9) tions (X . 5 , 6 = 9) x o.5 » x o.5 (° = 9 ) 

In the multi-input buck DC-DC converter with n inputs B n , we set constant 
parameters as follows: L = 2 • 1CT 4 H, = 0.1 f2, rc = 0.1 £1, R = 5 Q, 
C = 5 • 10" 5 F, ^on = fi, R oS = 10 4 n, and V t = 10* V for i e [n]. As 
for the quantization, we set A iL = [—4,4] and A vo = [—1,7], and we define 
Ag n = A iL x A VQ x A Ul x ... x A Un . The goal region is defined by the predicate 
G Bn (X) = (-2 < i L < 2) A (5-p < wo < 5+p), where p = 0.01, and the initial 
region is defined by the predicate 7g n (Jf) = (—2 < < 2) A (0 < f o < 6.5). 

In both examples, we use uniform quantization functions dividing the domain 
of each state variable x into 2 b equal intervals, where b is the number of bits 
used by AD conversion. The resulting quantizations are Qx F ,b = {Az F ,T b ) and 
Q.B„,b = (Aj3 n ,T b ). Since in both examples have two quantized variables, each 
one with b bits, the number of quantized (abstract) states is exactly 2 2b . 

We run QKS and QKS SC on the inverted pendulum model I F for different 
values of F (force intensity), and on the multi-input buck DC-DC model B n , for 
different values of parameter n (number of the switches). For the inverted pen- 
dulum, we use sampling time T = 0.1 seconds when the quantization schema 
has less than 10 bits and T = 0.01 seconds otherwise. For the multi-input buck, 
we set T = 10~ 6 seconds. For both systems, we run experiments with different 
quantization schema. 

For all of such experiments, QKS and QKS SC output a control software in C 
language. In the following, we will denote with K mg ° the output of QKS, and 
with K sc the output of QKS SC on the same control problem. 

4.4 Experiments Discussion 

We compare the controller K mg ° e K sc by evaluating their size, as well as other 
non-functional requirements such as the set-up time and the ripple of the closed 
loop system. Tables [T] and [2] summarize experimental results. 
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In both tables, column |if mgo | (resp. |i^ sc |) shows the size (in Kbytes) of the 
. o file obtained by compiling the output of QKS (resp. QKS SC ) with gcc. Column 
ij^ngL shows the ratio between the size of the two controllers and it illustrates 
how much one gains in terms of code size by using function smallCtr instead of 
mgoCtr. 

Column Path mgo (resp. Path sc ) shows the average length of (worst case) paths 
to the goal region in the closed loop abstract systems i-i( Kr " g °) (resp. H^ KSC ^). This 
number, multiplied by the sampling time, provides an estimation of the average 
set-up time of the closed loop system. Column jrfgbo shows the ratio between 
the values in the two previous columns, and it provides an estimation of the price 
one has to pay (in terms of optimality) by using a small controller instead of the 
mgo controller. 

The last three columns show computation time of function smallCtr (column 
CPU SC , in seconds), the ratio with respect to mgoCtr (column ( ^^ ), and small- 
Ctr memory usage (column Mem, in Kbytes). Function smallCtr is obviously 
slower than mgoCtr, because of non- optimality: it performs more loops, and it 
deals with more complex computations. We observe that the controller synthesis 
off-line computation is not a critical parameter in the control software synthesis 
flow. 

As we can see in Tab. [TJ and Tab. [2] the size of the controller K sc tends to 
become smaller and smaller with respect to the size of the correspondent controller 
K mgo as the complexity of the model grows. This is a general trend, both with 
respect to the number of switches of the multi-input buck, and with respect to the 
number of bits of the quantization schema (in both examples). In particular, in the 
12 bits controllers for the inverted pendulum, the size of K sc is just about 5% of 
the size of fT mgo . 

A less expected result is that the average worst case length of paths to the goal 
in the closed loop system 1-L^ K ^ tends to get slightly closer to the one in i-i^ Kvng °) 
as the complexity of the system grows. H^ K ' simulations show an even better 
behaviour. As an example, Fig. [7] shows a simulation of the closed loop systems 
and XqP°, by considering a quantization schema of 9 bits and starting from 
X\ = 7r,x 2 = 0. In order to show pendulum phases, x\ is not normalized in 
[— 7T, it), thus also x\ = 2n is in the goal. As we can see, the small controller 
needs slightly more time (about a second) to reach the goal. Interestingly, Xq^ s ° 
follows a smarter trajectory, with a swing less. 

Fig. [8] (resp. Fig. [9]) shows the ripple of Xi in the inverted pendulum closed 
loop system T^ g ° (resp. Z^), by focusing on the part of the simulation in Fig. [7] 
which is (almost always) inside the goal. As we can see, the small controller yields 
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Figure 8: Ripple for K mgo (b = 9) Figure 9: Ripple for K 5C (b = 9) 

a worst ripple (0.0002 vs 0.0001), which may be however neglected in practicle 
cases. 

To visualize the very different nature of these controllers, Fig.|5](resp. Fig. [6]) 
shows actions that are enabled by K mgo (resp. K sc ) in all states of the admissible 
region of the inverted pendulum control problem X .5, by considering a quantiza- 
tion schema of 9 bits. In these pictures, different colors mean different actions. 
We observe that in Fig. [5] we need 7 colors, because in a given state K mgo may 
enable any nonempty subset of the set of actions. As expected, K sc control strat- 
egy is much more regular and thus simpler than the one of K mgo , since it enables 
the same action in relatively large regions of the state space. Some simmetries of 
Fig.[5]are broken in Fig.[6]because when more actions could be choosen, smallCtr 
gives always priority to one of them (Alg.l2l lines 10-11). 



5 Conclusions 

We presented a novel automatic methodology to synthesize control software for 
Discrete Time Linear Hybrid Systems, aimed at generating small size control soft- 
ware. 

We proved our methodology to be very effective, by showing that we synthe- 
size controllers up to 20 times smaller than time optimal ones. Small controllers 
keep other software non-functional requirements (e.g. WCET) at the cost of being 
suboptimal with respect to system level non-functional requirements (i.e. set-up 
time and ripple). Such inefficiency may be fully justified since it allows a designer 
to consider much cheaper microcontroller devices. 

Future work may consist of further exploiting small controller regularities in 
order to improve on other software as as well system level non-functional require- 
ments. 
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